It has become common, and increasingly so as time goes on, for applications to be accessed and transactions conducted remotely over public networks such as the internet. The popularity of these applications has attracted the attention of hackers and criminal organizations. To protect the applications against unauthorized access, many application providers rely on their users submitting, during login, the combination of a user identification (userid) and a password. In most cases the password is static, i.e., the same password value remains valid over a relatively long period of time.
For hackers to gain access to a remote application and engage in fraudulent transactions, it is sufficient to obtain a valid userid-password combination. For example, a popular method is to send a fake e-mail requesting the user (with some more or less credible pretext) to send his userid-password in response. This is often referred to as phishing. Another popular method is to create an imposter website that conveniently looks like the real website. When a user attempts to log in, his userid-password is captured for later misuse.
Because of the ease with which hackers have succeeded in obtaining valid userid-password combinations, it is now widely accepted that a static password alone offers too low a level of security to be acceptable for applications involving financially valuable transactions and the like. Accordingly, there is a need for an alternative user authentication method offering a higher level of security.
Alternative techniques do exist. These include:
1. Certificates (i.e., software, on smart cards or USB tokens).
2. Hardware strong authentication tokens.
3. Soft tokens (i.e., software emulating hardware strong authentication tokens).
4. Smart cards.
5. USB tokens.
In most cases users either have to be equipped with a personalized hardware device (USB tokens, strong authentication tokens, smart cards, etc.) or they must install some personalized piece of software (software certificates, soft tokens, etc.). The major disadvantage of these solutions, when compared to the ordinary userid-password method, is that either:
(a) They are more costly (because of the specific hardware that is required to implement them), or
(b) They limit the mobility of the user to a specific computer (in particular the computer on which hardware or personalized software has been installed), or
(c) They are not easy to use (the user needs to follow a complicated installation procedure that might fail), or
(d) A combination of the foregoing disadvantages.
Accordingly, what is needed is a solution which provides greater security than the userid-password method but yet retains the major advantages of the userid-password method, i.e., low cost, ease of use, and ease of migration from one computer to another.
Typically users use a computer, such as a personal computer (pc), to access applications on a remote server. However, devices other than a pc are also used, e.g., mobile devices such as a personal digital assistant (pda), web-enabled cellphones and the like. For the purposes of this application the term personal computer or pc shall include all such devices, as well as other similar devices which can access a remote internet device, such as a server, through the internet and exchange information and messages by means of browser software, whether that access is via a landline or includes a wireless component.